Data Breach? Strategies to Stem the Damage

By Chris Sullivan

The Sony Pictures breach is merely the latest in a string of cyber attacks that have hit high-profile brands this year. With Sony’s shares plummeting more than 10% since the beginning of last week, the brand has suffered tremendous financial and reputational losses.

In today’s digital world it’s not a matter of whether you’ll get hit by a cyber attack but when. Having a robust communications strategy in the event of a security breach is therefore not a ‘nice to have’ but a necessity. So what are the most effective tactics that can help CMOs and CIOs handle a cyber breach and mitigate the reputational damage to their business?

Rule number one is never to distort the truth. Imagine that your credit card information was stolen from your favourite retailer and they didn’t tell you. Most likely you’d be infuriated, and so will your customers. Urban Outfitters made this mistake earlier this year when its head of information security questioned whether a company needs to go public when hackers get hold of customers’ private information. She even claimed that the earliest time consumers should be notified of a security breach is three months after the incident has occurred.

Such an approach to handling security incidents can have detrimental consequences for the brand image of an organisation. What a business needs to do instead is get its facts straight, organise the key points, and tell it like it is.

After all, consumers are beginning to recognise that nothing is 100% secure and there is always a certain level of risk. For instance, making retail absolutely secure would require multifactor authentication including chips, key fobs, fingerprint or retina scans combined with 20-digit passwords. No one would do it because it is not financially sustainable and it’s too complex to implement in practice. While consumers realise that there is an inherent risk in, let’s say, using a credit card, they are relying on organisations to minimise this risk and to be honest with them if something goes wrong.

Hiding information from customers in the event of a data breach amounts to reputational suicide. The one case where retailers get a pass on transparency is when law enforcement has explicitly requested them to conceal breaches for the sake of an ongoing investigation.

In fact, it is often law enforcement that detects the breach in the first place. Unfortunately, most breaches are detected by someone who may not even be employed by the target, and often months after the intrusion has begun. By the time the breach is uncovered, the damage is substantial and the effort required to cope with it is massive. The reason is that most organisations have poor visibility into their systems and don’t really understand how sensitive data is being used and accessed. This results in huge delays in spotting abnormal activity and detecting security breaches.

The outcome of these security shortfalls is that breached organisations are slow to come forward and publicly acknowledge the cyber attack, and are even slower in understanding exactly what happened and which customers have been affected.

To avoid this embarrassment, businesses need to have real-time insight into the patterns of everyday access, including how sensitive data is being used within the organisation. This will enable businesses to continuously monitor data access for anomalous patterns and problems, such as orphan accounts, duties that need to be segregated, ill-conceived provisioning or just unusual activity. This will provide CMOs and CIOs with clear visibility into what’s happening with sensitive data, which customers have been affected by the breach and how.

Having this information at their fingertips will be vital for handling a cyber security crisis, as they’ll be able to quickly notify targeted customers about the incidents and take proactive measures to close down all system vulnerabilities. Most importantly, this will enable CMOs to take effective action to alleviate issues with affected customers and address their concerns before they turn into major problems and result in customer churn.
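The access checks named above (orphan accounts, duties that need to be segregated, unusual activity) can be sketched as a small review script. This is an added example, not code from the author or from any product; the HR roster, role names, segregation rule, business-hours window and log records are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample data; every name and record below is hypothetical.
HR_ACTIVE = {"alice", "bob", "carol"}            # people currently employed
ENTITLEMENTS = {                                 # account -> granted roles
    "alice": {"create_vendor", "approve_payment"},
    "bob": {"support_read"},
    "carol": {"create_vendor"},
    "dave": {"support_read"},                    # owner has left; account still enabled
}
SOD_RULES = [("create_vendor", "approve_payment")]  # roles one person must not combine
ACCESS_LOG = [                                   # (timestamp, account, customer record)
    ("2014-12-01T10:15:00", "bob", "cust-1001"),
    ("2014-12-02T02:40:00", "dave", "cust-1001"),
    ("2014-12-02T02:41:00", "dave", "cust-1002"),
    ("2014-12-02T11:05:00", "alice", "cust-1003"),
    ("2014-12-03T09:00:00", "carol", "cust-1005"),
    ("2014-12-03T23:30:00", "bob", "cust-1004"),
]

def orphan_accounts(entitlements, hr_active):
    """Accounts that still hold access but map to no active employee."""
    return sorted(set(entitlements) - set(hr_active))

def sod_violations(entitlements, rules):
    """(account, role_a, role_b) where one account holds both conflicting roles."""
    return sorted((acct, a, b) for acct, roles in entitlements.items()
                  for a, b in rules if a in roles and b in roles)

def off_hours_access(log, start=7, end=19):
    """Log entries whose hour falls outside the assumed business window [start, end)."""
    return [e for e in log if not start <= datetime.fromisoformat(e[0]).hour < end]

def customers_in_scope(log, accounts):
    """Customer records touched by flagged accounts: the starting scope for review."""
    return sorted({cust for _, acct, cust in log if acct in accounts})

def review(entitlements, hr_active, rules, log):
    orphans = orphan_accounts(entitlements, hr_active)
    sod = sod_violations(entitlements, rules)
    odd = off_hours_access(log)
    flagged = set(orphans) | {v[0] for v in sod} | {e[1] for e in odd}
    return {"orphans": orphans, "sod": sod, "off_hours": odd,
            "flagged_accounts": sorted(flagged),
            "customers_in_scope": customers_in_scope(log, flagged)}

if __name__ == "__main__":
    for key, value in review(ENTITLEMENTS, HR_ACTIVE, SOD_RULES, ACCESS_LOG).items():
        print(f"{key}: {value}")
```

The `customers_in_scope` list is what turns an access anomaly into a notification list: it names the customer records a flagged account actually touched, rather than every customer on file.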

By Chris Sullivan, VP Advanced Solutions at Courion.
